The Stratfor hack is not over yet

Thanks to Anonymous and their Christmas hacking of Stratfor, I have not only had to change my credit card number and sign up for identity theft protection; I am also the target of spear phishing attacks.

This past weekend, I got the following message in my personal email account:

The message body is empty but there is a pdf attachment that I have yet to open. This is a spam message because the sending IP is not Stratfor’s but instead is 81.26.219.53, da.yourchance.nl. The sending domain is historyofpop.nl, which passes an SPF check. There are a couple of ways to interpret this, but it’s possible that the domain is compromised and the spammer is sending mail from it.

The message looked very suspicious to me. An empty body? Sure, it passed an SPF check, but an empty body and a pdf attachment? Stratfor never sends mail like that, ever.

I have not opened up the pdf attachment yet. I suspect it is some sort of phishing message but something in the back of my head has kicked my paranoid meter into overdrive. I’m worried that even though I am nobody special, the attachment could be an Advanced Persistent Threat. Wasn’t RSA hacked in a similar manner last year when someone dug a message similar to that out of their spam folder?

So now this message just sits in my Stratfor folder, waiting, waiting, waiting. For what, I am not sure. Perhaps I will open it up on my Mac and have a look there. Hopefully it’s just a phishing attempt and nothing more than that.

Didier Stevens published pdf tools to help analyze suspicious pdf files (pdfid.py and pdf-parser.py). There's even a video "Analyzing a malicious PDF File" on his blog to help guide you through the process.
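The kind of triage pdfid.py does can be shown in a few lines. The following is an added example written for this post, not Didier Stevens' code: it counts the PDF name keywords that matter for an unexpected attachment (JavaScript, actions that run on open, external launches, embedded files), decodes the `#xx` name escapes that are sometimes used to hide them, and never renders the file. The sample PDF bytes are constructed for the example.

```python
import re
from collections import Counter

# Name keywords worth counting in an attachment you did not ask for.
SUSPICIOUS = ["/JavaScript", "/JS", "/OpenAction", "/AA",
              "/Launch", "/EmbeddedFile", "/RichMedia", "/ObjStm"]

# Constructed sample: a minimal PDF whose catalog runs JavaScript on open.
# The keyword /JavaScript is written as /J#61vaScript to show escape handling.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert('x')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A PDF name runs from '/' up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\s/<>\[\]{}()%]*")


def normalize_name(raw: bytes) -> str:
    # Decode #xx hex escapes, which are legal PDF name syntax and a common
    # way to keep a keyword such as /JavaScript out of naive string searches.
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    # Count occurrences of each suspicious keyword without parsing objects.
    counts = Counter()
    for match in NAME_RE.finditer(data):
        name = normalize_name(match.group(0))
        if name in SUSPICIOUS:
            counts[name] += 1
    return dict(counts)


def triage(data: bytes) -> list:
    # Turn raw counts into the short list of findings a reviewer wants first.
    counts = scan_pdf(data)
    findings = []
    if not data.startswith(b"%PDF"):
        findings.append("no %PDF header")
    if counts.get("/JavaScript") or counts.get("/JS"):
        findings.append("contains JavaScript")
    if counts.get("/OpenAction") or counts.get("/AA"):
        findings.append("runs an action automatically on open")
    if counts.get("/Launch"):
        findings.append("may launch an external program")
    if counts.get("/EmbeddedFile"):
        findings.append("carries an embedded file")
    return findings
```

A non-zero count is a reason to look further with pdf-parser.py, not proof of malice; many benign forms use /AA and /JavaScript.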